Paul vs. John - Information Security Then & Now
(Why Paul Got More Press But John Lived Longer)

by John Edmiston (Cybermissions) with advice from Pete Holzmann (ICTA)

Differing
approaches to missionary security go back as least as far as the New Testament.
On one hand we have Paul, whose incredible boldness caused concern to others
and who had to be rescued from rioting mobs on numerous occasions. Paul
attaches long lists of names to his epistles, freely discloses his travel plans
and is 'completely out in the open' as far as information security goes. He
even goes to Jerusalem despite the warnings of close friends, prophets such as
Agabus - and to the obvious discomfort of James and the brethren. For Paul
security was simply not a major concern.

On
the other hand we have the apostle John. His brother James is beheaded by Herod
(Acts 12:1,2); next, his good friend Peter is arrested and put in jail,
awaiting execution. At this point John is the only 'free' member of the three
apostles who were closest with Jesus (Peter, James and John), and so John 'vanishes'
from the record of Acts, and even from the greetings at the end of Paul's
epistles - which is rather strange considering both men ministered in Ephesus!
For forty-five years or so we hear nothing of John until his gospel, epistles
and Revelation appear in the eighties and nineties AD. And when they do appear
they are coded and cryptic, they do not have long lists of names and personal
greetings nor do they give detailed travel plans. They say things such as: 3
John 1:13-14 MKJV I had many things to write, but I will not write to you
with pen and ink, (14) but I trust I shall shortly see you, and we shall speak
face to face. Peace be to you. The friends greet you. Greet the friends by
name.

John
seems to have been much more security conscious than Paul – and yet both were
undeniably apostles and very great men of God who helped shaped both the
Scriptures and the Church. As one wit remarked when I pointed this out, ‘Paul
got more press, but John lived longer!'

Undoubtedly
personality, theology and temperament had a lot to do with their approaches,
but the type of persecution
each faced was significantly different. Paul's early experiences of persecution
were from bands of Jewish agitators who had limited ability to intercept his
letters to the churches. There is no N.T. record of systematic,
government-level persecution of Paul (who seems to have easily made friends
with Roman officials).

For
Paul, standing up to the agitators who were trying to silence both him and the
gospel was the correct thing to do. Paul also had the context of being single (
1 Cor 7:8) and thus did not have to consider protecting his family.

In
contrast, John 's experience of persecution was at a government level – first
the insane Herod, and later the persecution of Diocletian where any misspoken
phrase or loose scrap of paper could lead to someone being burned alive. For
John, keeping the Church safe from inadvertent catastrophe was the priority. John
was also probably married (1 Cor 9:5), and that would have been a contributing
factor to his security-consciousness. Both approaches to security are found in
missions work today –sometimes in the same organization, and this can result in
some very significant tensions.

This
may be going a bit far, but I think the very different approaches that Paul and
John had to information security largely prevented their networks from working
together, even when in the same city (such as Ephesus). John's network leaders
would simply have felt unsafe around Paul and his disciples. While they would
have preached the same Christ, they would have had different leadership
structures, different house churches and baptism policies (Paul baptized on the
spot, but there is much evidence that in other areas there was a long testing
period to weed out false disciples first) and different methods of operation.
In time Paul's networks combined with Peter's and coalesced into the Western or
Roman church, while John's network remained distinct and became the Orthodox Church
of today.

Differing
approaches to security may also have been part of the reason for the historic
WEC/UFM split towards the end of the life of missionary pioneer C.T. Studd.
Even today there are tensions both within and between agencies. Trust is broken
easily and takes a long time to build. A head office wire transfer containing
too much detail e.g. 'for Bibles' can alienate the field staff whom it impacts.
And a single foolish mistake by an unwise youth on a short-term missions trip
can result in that whole agency being 'blacklisted' by other agencies working
in the same country.

In
the rest of this article I will focus on 'information security' – that is, how
we separate out the information we keep secure from that which we keep out in
the open for all the world to see. And I will also ask the question: “How do we
create a culture of caring about the consequences of communication?” Because,
as the WW2 poster used to say, “Loose lips sink ships.'

What
Is Information Security?

Information
security, computer security and information assurance are closely related but
different terms.

Information
security is wider than computer security and deals with information as a whole
and so may concern something written by hand or even oral communication.
Information security will include the terms and language you use, as well as
all the communication media – landlines, mobile phones, Skype, laptops, PCs and
various hand-held devices.

Information
security experts use terms such as confidentiality, integrity, authenticity,
possession, utility and availability of information. I will boil all this down
to the identification, separation and preservation of confidential
information that could potentially compromise your ministry. Identification
means you have policies that help people accurately identify what is
confidential (finances and specifics such as names, places, and meeting venues)
and what is not confidential (general publicly available information about your
agency). Confidential information is any specific, real-time information (in
contrast to general statements) that can form a basis for action by an enemy.

Separation
means you wall the information off so that (supposedly) only those who should
see it, do see it. A safe or an encrypted hard drive is a simple form of such seaparation as is a locked file cabinet or an old briefcase used just for confidential papers. Preservation means that the information is kept intact and can be retrieved in an intelligible format. This inclludes such things as backups, decryption keys, virus-scanning to prevent data corruption, and checking of physical media to ensure that data is not scrambled.

What
Missions Are Currently Doing In This Area

I
did some research into this issue in the form of an online survey that was
answered by 62 people (full survey analysis available upon request). In brief, the
most security conscious were listed as being: a) Western missionaries, b) the
IT staff and c)those in creative access ministries. Those who were least
security conscious were listed as being: a) older missionaries, b) head office
bureaucrats, c)those who preferred to 'just trust the Lord', d) those whose
work computer was also their home computer, e) supporters back home, f) partner
ministries that use inappropriate stories in publications and g) some national
missionaries.

Many
of the responses indicated a high level of emotion among many of the survey
participants with some 'us vs. them' polarization occurring between the most
security conscious and least security conscious groups due to their differing
age, as well as their cultural and theological perspectives. People reported
anger and confusion around the implementation of information security policies
and people divided between 'we trust God and pray' and those who want
absolutely every possible security contingency covered (which is not
practicable).

The following question was asked about the kind of security policies that were
in place: Do you have specific policies for security in regard to: (tick all
that apply) (Statistics were only taken from completed responses)

Email - 71%

Viruses, mlaware, phishing, scams - 58%

Server network security - 50%

Web browsing - 47%

Laptop security -42%

Use of Internet cafes - 37%

Hard-drive encryption - 26%

USB / Thumb drives - 26%

Other - please specify - 24%

I have no idea of what policies we may or may not have - 16%

We do not have any information security policies - 11%

I
found it remarkable that over a quarter (27%) either had no information
security policies or had no idea of what such security policies were. Email,
viruses and server security seem to be the main concern of the security
policies that did exist.

Covenanting
To Keep Each Other Safe

Because
of the Internet, links between missionaries in different agencies are now very
extensive, and missionaries in an agency with good security practices may be
compromised by a missionary in another agency with very poor security
practices. Security is only as good as the weakest link, and the weakest link
is often in the publicity department at mission HQ! The dramatic stories that
are good for fund-raising are also the material that can cause serious problems
on the field. We have to covenant to keep one another safe.

At
a recent large missions gathering in Thailand, the story was told of people
visiting a certain closed country on a short-term missions trip, who were
expressly told not to hand out tracts. On the way home one woman felt it was
her duty to start throwing tracts out the bus window. They were soon arrested
and taken for interrogation by the secret police. Within twenty minutes they
were crying on the floor and within thirty minutes they had divulged the names
of the local pastors and Christian leaders.

We
have to do better than that! We have to care deeply about those who may be
affected by our actions, and that should give us a 'holy restraint' that stops
us doing things like throwing tracts out bus windows in closed countries! That
is why I advocate for organization-wide policies that are understood and signed
off on by everyone from the board chairman to the bus driver on the short-term
missions trip. Detailed information security policies need to be created by
each mission organization to suit its own particular requirements. These
policies should be contained in a single concise document that should be
personally reviewed and signed off on by all staff in each organization,
including the leadership.

Of
course, everything must be held in balance. There are good missionaries who
recognize their lack of

understanding,
and are trusting the Lord to provide needed protection. They would love to act
on the basis of more understanding... yet one thing was stated quite strongly:
the basis of our security is Christ, not policy. No policy can be allowed to
determine what we will or will not do.

How
do we then proceed, given that in many contexts some increase in information
security is desirable? First, information security practices might need to be
greatly simplified to make them more user friendly. As far as possible,
information security should be 'automatic' and built into the software, email
systems and server systems used by missionaries. While it is acknowledged that
perfect information security is impossible, greater security can be achieved by
the thoughtful development of simple yet effective information security
processes. Some of these simplified information security practices could
include:

BASIC SECURITY (All missionaries everywhere, even in free countries)

1.Using free
firewall software such as ZoneAlaram, and free anti-virus software such as AVG
or Avira antivirus and free spyware and root-kit detectors such as Spybot
Search & Destroy and AdAware – and regularly updating them.

2.Use CCleaner to
remove cookies, browser history and general compromising 'junk' from your
computer

3.Give some
consideration to using a non-Windows operating system such as Apple OSX, Ubuntu
Linux, FreeBSD, or OpenSolaris. You can still run your Windows programs by
using a 'virtual machine' such as VMWare and they will run quite quickly. These
non-Windows operating systems are generally quite secure and are far less
targeted by hackers and virus writers.

4.The use of
encrypted PDF files (for example PDFCreator for free software that does this
easily) to store confidential information - especially when sending
attachments. Having to use simple passwords to open files reminds the reader
that they are confidential. For further security the ability to print, or to
copy, cut or paste can be turned off in a PDF file.

5.Use strong
passwords – longer than 12 characters and involving uppercase letters, lower
case letters, numbers and punctuation. The more scrambled up the better. For
instance get a bible verse and take the numbers and jumble them up between the
letters and add some punctuation on the end to get at least 12 characters - so
John3:16 might become J3o:h1n6!?@> a much stronger password.

6.Do not get the
'latest and greatest' - wait at least six months until the security issues have
been found and patches fixed. For new releases of MS Windows or Microsoft
Office, wait one year.

7.The use of the
same free / low-cost 'seamless' encrypted email across all members of the
organization (it is then as pain-free as sending a normal email).

8.The regular use
of Google and other search engines to check what is 'out there' in cyberspace
about the ministry - and even to ask people to remove confidential information
from a website. It may also be wise to Google for any sensitive email
addresses.

9.Training all
staff and partners in the difference between what is 'confidential' and what
can be shared freely, especially when fund-raising or in newsletters.

10.Merge with your
context. For instance, using Linux in Africa or China is fine because it has a
strong following in those places but in some other countries it may look
'geeky' and attract attention. Also, selecting unusual hardware or software
means that a typical user is a) less likely to understand how it works; b) less
likely to have a community of friends who can help them use their technology
well; c) more likely to be identified as an "outlier" simply on the
basis of the unusual tools they use. It's worth considering the selection of
tools that fit in well with those in the neighborhood (whatever that may mean).
This applies not only to OS but also to email practices.

11.Stay away from
politics in all publications and communications both on-field and at HQ, as it
is often a brochure with a strong political statement that alerts a government
to commence surveillance of the organization.

12.Do not publish sensitive
conversion statistics, particularly of Hindus or Muslims, as this will cause
them to defend their religion - by finding and persecuting the converts in that
area.

13.Do not keep any
confidential information of any sort on servers connected to the Internet.

14.Use a
high-quality shredder for all financial and confidential paperwork.

20.
Do not use cellphones in some countries, particularly in police states, as
mobile phones can not only be listened in on, but their microphones and cameras
can be turned on remotely. Removing the battery is the only safe way to prevent
this.

21.
A forest is a great place for a sensitive conversation. It is very hard for
others to listen undetected, even using wireless electronics (which do not work
well in greenery).

22.
The use of free software such as TrueCrypt as a way to create encrypted
hard-drives or encrypted 'file containers'
within hard-drives – and the use of these encrypted partitions for all highly
confidential data. It just
takes a little practice.

23.
Generate as little confidential information as possible. Do not ask for
specifics (such as full names addresses,
etc) that might compromise people.

24.
Keep a low profile, be useful, friendly and non-annoying. Take care with
financial transactions so that no one is ever burned or gets a grudge against
you (and thus has a motive to betray you).

25.
Do not have large, obvious meetings. Do not have all the converts or church
leaders in one place at one time (so they can all be arrested at once).

26.
Train your memory so that records of appointments and other compromising
information does not have to be kept on paper in sensitive situations.

27.
Use a "split messages" policy. If you need to share a confidential
message, break it apart and send via different
paths. You might send one element (e.g. date or location) by email, then make a
phone call or fax to send the rest.

28.
Appoint someone in your team to be your 'security consultant' who updates
computers regularly and who does the necessary nagging that is required to keep
people secure.

29.
There are no effective technical counter-measures that a missionary can take to
counter determined government
surveillance. The missionary must carefully evaluate whether God has called
them to such a situation
and the risk they may pose to themselves, their family and the national church.
Western missionaries can
unfortunately draw unwanted attention to those that they meet with in such
countries.